Oct 07 2020 (last edited on Jan 14 2022)
This might be a dumb question, but why do conditional access policies not apply to entities accessing AzureAD via an app registration? We are building some automation scripts to run in our DataCentre as per this guide. Security teams have been asking how to lock down script access so that AzureAD only accepts connections from our DataCentre. If this were an AzureAD user we could do this via conditional access, but it's not.
Oct 08 2020 09:32 AM
Not sure what kind of answer you are expecting here; app logins simply aren't supported for CA. On the positive side, Microsoft just started surfacing login events for such scenarios, so hopefully CA will follow soon.
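Since the login events mentioned above can be reviewed even though they cannot be blocked, one practical fallback is a detective control: export the app (service principal) sign-in records and flag any that did not come from the datacentre's egress ranges. The script below is an added example, not code from this thread or from Microsoft. The record layout (`ipAddress`, `appId`, `servicePrincipalName`, `status.errorCode`), the allowed CIDR ranges and the sample records are all constructed assumptions; adapt the field names to whatever your log export actually contains.

```python
"""Flag Azure AD app (service principal) sign-ins from outside an allow-list.

Conditional Access does not apply to app-only (client credential) logins, so
this is a detective control built on the sign-in logs rather than a preventive
one. Added example: the record fields are an assumption about the log shape.
"""
import ipaddress
import json

# Constructed sample, one JSON record per line. 203.0.113.0/24 plays the role
# of the on-premises datacentre egress range; 198.51.100.x is "elsewhere".
# Error code 7000215 is the "invalid client secret" failure (AADSTS7000215).
SAMPLE_SIGNINS = """\
{"createdDateTime": "2020-10-08T01:12:03Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2020-10-08T01:40:51Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "198.51.100.7", "status": {"errorCode": 7000215}}
{"createdDateTime": "2020-10-08T01:41:02Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2020-10-08T02:05:19Z", "servicePrincipalName": "dc-automation", "appId": "00000000-0000-0000-0000-000000000001", "ipAddress": "not-an-ip", "status": {"errorCode": 0}}
{"createdDateTime": "2020-10-08T02:30:00Z", "servicePrincipalName": "other-app", "appId": "00000000-0000-0000-0000-000000000002", "ipAddress": "198.51.100.9", "status": {"errorCode": 0}}
"""

# Assumed datacentre egress ranges (v4 and v6) and the app we care about.
ALLOWED_CIDRS = ["203.0.113.0/24", "2001:db8:10::/48"]
WATCHED_APP_IDS = {"00000000-0000-0000-0000-000000000001"}


def load_signins(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_signin(record, allowed_networks):
    """Return a reason string if the record deserves attention, else None."""
    try:
        addr = ipaddress.ip_address(record.get("ipAddress", ""))
    except ValueError:
        # A missing or malformed source address must not silently pass.
        return "unparseable_ip"
    if any(addr in net for net in allowed_networks):
        return None
    succeeded = record.get("status", {}).get("errorCode") == 0
    return "success_outside_allowlist" if succeeded else "failure_outside_allowlist"


def find_unexpected_signins(records, allowed_cidrs, watched_app_ids=None):
    """Findings for sign-ins (by watched apps, if given) from outside allowed_cidrs.

    Failed attempts are reported too: a run of invalid-secret errors from an
    unknown address is exactly the credential-guessing signal worth catching.
    """
    allowed_networks = [ipaddress.ip_network(c, strict=False) for c in allowed_cidrs]
    findings = []
    for rec in records:
        if watched_app_ids is not None and rec.get("appId") not in watched_app_ids:
            continue
        reason = classify_signin(rec, allowed_networks)
        if reason:
            findings.append({
                "time": rec.get("createdDateTime"),
                "app": rec.get("servicePrincipalName"),
                "ip": rec.get("ipAddress"),
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    hits = find_unexpected_signins(load_signins(SAMPLE_SIGNINS), ALLOWED_CIDRS, WATCHED_APP_IDS)
    for f in hits:
        print(f"{f['time']} {f['app']:<14} {f['ip']:<14} {f['reason']}")
```

On the constructed sample this reports the failed and then successful sign-ins from 198.51.100.7 and the record with an unparseable address, while the sign-in from inside 203.0.113.0/24 passes. Unparseable or missing addresses are flagged deliberately; a detective control that fails open on bad input is not much of a control.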
Oct 08 2020 04:28 PM
Thanks @Vasil Michev. I guess I am asking 'Why are they not supported?' It seems like having simple IP restriction capability against them is highly desirable. I know app registrations are available on the free tier and conditional access is not. Perhaps that is one driver behind the scenes (who knows).
I guess a clientID/Secret combination or clientID/Cert is difficult to brute force?
Oct 09 2020 02:04 AM (Solution)
That's something only Microsoft can answer. But the reality is that you cannot limit logins, at least for the time being.